Rapid7 Blog

PCI 30 sec newsletter #8 - DSS in a nutshell


PCI DSS was originally developed by MasterCard and Visa through an alignment of security requirements contained in their respective programs to secure ecommerce: the Site Data Protection for MasterCard and the Cardholder Information Security Plan (CISP) for VISA US.

PCI DSS adopts a top-down approach. It starts with six high-level "goals", which is confusing terminology, since the program has a single goal: to protect cardholder data while it is transmitted, processed and stored by an entity. I would prefer calling them sections or domains. Those "goals" are then mapped to 12 requirements, each of which subdivides into more granular requirements. Each requirement comes with a set of corresponding testing procedures.

So thinking that PCI DSS compliance is just about implementing 12 requirements is inaccurate: there are more than 200 specific requirements.

The schema below depicts the combination of the first two layers of requirements:

High level requirements

R2: Don't use vendor-supplied defaults for system passwords and other security parameters

R3: Protect stored cardholder data

R4: Encrypt transmission of cardholder data across open, public networks

R5: Use and regularly update anti-virus software

R6: Develop and maintain secure systems and applications

R7: Restrict access to cardholder data by business need-to-know

R8: Assign a unique ID to each person with computer access

R9: Restrict physical access to cardholder data

R10: Track and monitor all access to network resources and cardholder data

R11: Regularly test security systems and processes

R12: Maintain a policy that addresses information security

Side Notes:

1. Why 6 domains and 12 requirements? The MasterCard SDP and Visa CISP programs consisted of 12 and 6 requirements respectively. As both wanted to keep their own numbering, they reached a compromise, so the current structure of the PCI DSS is the end result of that compromise.
